System and method for determining vulnerability metrics for graph-based configuration security
Abstract
A system is provided for determining vulnerability metrics for graph-based configuration security. During operation, the system generates a multi-layer graph for a system with a plurality of interconnected components. The system determines, based on the multi-layer subgraph, a model for a multi-step attack on the system by: calculating, based on a first set of variables and a first set of tunable parameters, a likelihood of exploiting a vulnerability in the system; and calculating, based on a second set of variables and a second set of tunable parameters, an exposure factor indicating an impact of exploiting a vulnerability on the utility of an associated component. The system determines, based on the model, a set of attack paths that can be used in the multi-step attack and recommends a configuration change in the system, thereby facilitating optimization of system security to mitigate attacks on the system while preserving system functionality.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A computer-implemented method, comprising:
generating a multi-layer graph for a computer system comprising a collective network composed of a plurality of interconnected components, wherein the multi-layer graph comprises a configuration subgraph, a vulnerability subgraph, and a dependency subgraph;
determining, based on the multi-layer graph, a model for a multi-step attack on the computer system, by:
computing, based on a first set of variables and a first set of tunable parameters, a likelihood of exploiting a vulnerability in the computer system; and
computing, based on a second set of variables and a second set of tunable parameters, an exposure factor indicating an impact of exploiting a vulnerability on a utility of an associated component;
determining, based on the model, a set of attack paths that can be used in the multi-step attack; and
mitigating the multi-step attack on the computer system while preserving computer system functionality by modifying, based on the determined set of attack paths, at least one configuration associated with one of the plurality of interconnected components in the computer system or preserving the at least one configuration based on determining that preserving the system functionality outweighs a security impact associated with the determined set of attack paths.
2. The computer-implemented method of claim 1 , wherein a respective component of the plurality of interconnected components includes one or more of: a software component; a hardware component; a middleware component; and a networking component.
3. The computer-implemented method of claim 1 , wherein the computing, based on the first set of variables and the first set of tunable parameters, the likelihood of exploiting the vulnerability in the computer system involves using an extensible formula with one or more numerator factors and one or more denominator factors; wherein the one or more numerator factors corresponds to a first subset of variables in the first set of variables that contribute to increasing the likelihood of exploiting the respective vulnerability which is denoted as:
(1− e −c N ·ƒ N (x N ) );
wherein c N denotes a tunable parameter; x N denotes a variable; and ƒ N (x N ) denotes a function of variable x N ; and
wherein the one or more denominator factors corresponds to a second subset of variables in the first set of variables that contribute to decreasing the likelihood of exploiting the respective vulnerability which is denoted as:
e −c D ·ƒ D (x D ) ;
wherein c D denotes a tunable parameter; x D denotes a variable; and ƒ D (x D ) denotes a function of variable x D .
4. The computer-implemented method of claim 1 , further comprising:
determining, based on the likelihood of exploiting the respective vulnerability in the computer system, a probability value, wherein the probability value represents a label for an edge between two vulnerabilities in the vulnerability subgraph, and wherein the label indicates a relative probability with which the edge or attack path will be traversed in an attack or by an attacker while exploiting the next vulnerability in the multi-step attack;
wherein the vulnerability subgraph includes directed edges between pairs of vulnerability subgraph nodes,
wherein a first vulnerability subgraph node includes a set of directed edges to a corresponding subset of vulnerability subgraph nodes, and
wherein a respective directed edge from the first vulnerability subgraph node to a node in the subset of vulnerability subgraph nodes indicates a probability of exploiting the second vulnerability subgraph node.
5. The computer-implemented method of claim 4 , wherein a set of probabilities corresponding to the set of directed edges represents a probability distribution over the set of directed edges and an attack or an attacker will select one or more of the directed edges to exploit a next vulnerability subgraph node in the subset of vulnerability subgraph nodes.
6. The computer-implemented method of claim 1 , wherein the computing, based on the second set of variables and the second set of tunable parameters, the exposure factor indicating the impact of exploiting the vulnerability on the utility of the associated component involves using the following formula:
ef
(
v
,
h
,
x
)
=
0.1
·
Impact
(
v
)
e
c
·
f
(
x
)
;
wherein v denotes a vulnerability being exploited; h denotes a component in the computer system; Impact (v) denotes a first variable representing an impact score; denotes a second variable; e c·ƒ(x) denotes a factor contributing to the exposure factor; c denotes a tunable parameter to weight the contribution of the factor e c·ƒ(x) to the exposure factor; and ƒ(x) is a function of variable x; wherein a directed edge from a vulnerability subgraph node to a dependency subgraph node indicates the exposure factor; and wherein the impact of exploiting the vulnerability on the associated component results in a decrease in utility of the component in the computer system.
7. The computer-implemented method of claim 1 , wherein the first set of tunable parameters and the second set of tunable parameters are adapted based on an application and an operational context of the computer system; and wherein a respective tunable parameter associated with a respective variable is adjusted to weight a contribution of the respective variable to an overall score.
8. The computer-implemented method of claim 1 , further comprising:
displaying, on a screen of a user device, one or more interactive elements which allow the user to:
view the multi-layer graph comprising at least:
the configuration subgraph and generated configuration subgraph nodes;
the vulnerability subgraph and generated vulnerability subgraph nodes;
the dependency subgraph and generated dependency subgraph nodes; and
directed edges between nodes in a same subgraph or between nodes in different subgraphs;
select one or more attack paths; and
view an impact of the one or more attack paths executed sequentially or executed concurrently.
9. The computer-implemented method of claim 1 , wherein the first set of variables includes one or more of:
a set of known intrusion detection system rules associated with the vulnerability;
an amount of time elapsed since information about vulnerability became public; and
a Common Vulnerability Scoring System exploitability score.
10. The computer-implemented method of claim 1 , wherein the second set of variables includes one or more of:
a number of deployed intrusion detection system rules; and
a normalized Common Vulnerability Scoring System impact score.
11. A computer system, comprising:
a processor;
a storage device storing instructions that when executed by the processor cause the processor to perform a method, the method comprising:
generating a multi-layer graph for a composed system comprising a collective network of a plurality of interconnected components, wherein the multi-layer graph comprises a configuration subgraph, a vulnerability subgraph, and a dependency subgraph;
determining, based on the multi-layer graph, a model for a multi-step attack on the composed system, by:
computing, based on a first set of variables and a first set of tunable parameters, a likelihood of exploiting a vulnerability in the composed system; and
computing, based on a second set of variables and a second set of tunable parameters, an exposure factor indicating an impact of exploiting a vulnerability on a utility of an associated component;
determining, based on the model, a set of attack paths that can be used in the multi-step attack; and
mitigating the multi-step attack on the composed system while preserving composed system functionality by modifying, based on the determined set of attack paths, at least one configuration associated with one of the plurality of interconnected components in the composed system or preserving the at least one configuration based on determining that preserving the system functionality outweighs a security impact associated with the determined set of attack paths.
12. The computer system of claim 11 , wherein a respective component of the plurality of interconnected components includes one or more of: a software component; a hardware component; a middleware component; and a networking component.
13. The computer system of claim 11 , wherein the computing, based on the first set of variables and the first set of tunable parameters, the likelihood of exploiting the vulnerability in the composed system involves using an extensible formula with one or more numerator factors and one or more denominator factors; wherein the one or more numerator factors corresponds to a first subset of variables in the first set of variables that contribute to increasing the likelihood of exploiting the respective vulnerability which is denoted as:
(1− e −c N ·ƒ N (x N ) );
wherein c N denotes a tunable parameter; x N denotes a variable; and ƒ N (x N ) denotes a function of variable x N ; and
wherein one or more denominator factors corresponding to a second subset of variables in the first set of variables that contribute to decreasing the likelihood of exploiting the respective vulnerability is denoted as:
e −c D ·ƒ D (x D ) ;
wherein c D denotes a tunable parameter; x D denotes a variable; and ƒ D (x D ) denotes a function of variable x D .
14. The computer system of claim 11 , wherein the method further comprising:
determining, based on the likelihood of exploiting the respective vulnerability in the composed system, a probability value, wherein the probability value represents a label for an edge between two vulnerabilities in the vulnerability subgraph, and wherein the label indicates a relative probability with which the edge or attack path will be traversed in an attack or by an attacker while exploiting the next vulnerability in the multi-step attack;
wherein the vulnerability subgraph includes directed edges between pairs of vulnerability subgraph nodes,
wherein a first vulnerability subgraph node includes a set of directed edges to a corresponding subset of vulnerability subgraph nodes, and
wherein a respective directed edge from the first vulnerability subgraph node to a node in the subset of vulnerability subgraph nodes indicates a probability of exploiting the second vulnerability subgraph node.
15. The computer system of claim 14 , wherein a set of probabilities corresponding to the set of directed edges represents a probability distribution over the set of directed edges and an attack or an attacker will select one or more of the directed edges to exploit a next vulnerability subgraph node in the subset of vulnerability subgraph nodes.
16. The computer system of claim 11 , wherein the computing, based on the second set of variables and the second set of tunable parameters, the exposure factor indicating the impact of exploiting the vulnerability on the utility of the associated component involves using the following formula:
ef
(
v
,
h
,
x
)
=
0.1
·
Impact
(
v
)
e
c
·
f
(
x
)
;
wherein v denotes a vulnerability being exploited; h denotes a component in the composed system; Impact (v) denotes a first variable representing an impact score; x denotes a second variable; e c·ƒ(x) denotes a factor contributing to the exposure factor; c denotes a tunable parameter to weight the contribution of the factor e c·ƒ(x) to the exposure factor; and ƒ(x) is a function of variable x; wherein a directed edge from a vulnerability subgraph node to a dependency subgraph node indicates the exposure factor; and wherein the impact of exploiting the vulnerability on the associated component results in a decrease in utility of the component in the composed system.
17. The computer system of claim 11 , wherein the first set of tunable parameters and the second set of tunable parameters are adapted based on an application and an operational context of the composed system; and wherein a respective tunable parameter associated with a respective variable is adjusted to weight a contribution of the respective variable to an overall score.
18. The computer system of claim 11 , wherein the method further comprising:
displaying, on a screen of a user device, one or more interactive elements which allow the user to:
view the multi-layer graph comprising at least:
the configuration subgraph and generated configuration subgraph nodes;
the vulnerability subgraph and generated vulnerability subgraph nodes;
the dependency subgraph and generated dependency subgraph nodes; and
directed edges between nodes in a same subgraph or between nodes in different subgraphs;
select one or more attack paths; and
view an impact of the one or more attack paths executed sequentially or executed concurrently.
19. The computer system of claim 11 , wherein the first set of variables includes one or more of:
a set of known intrusion detection system rules associated with the vulnerability;
an amount of time elapsed since information about vulnerability became public; and
a Common Vulnerability Scoring System exploitability score.
20. The computer system of claim 11 , wherein the second set of variables includes one or more of:
a number of deployed intrusion detection system rules; and
a normalized Common Vulnerability Scoring System impact score.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.